Data Privacy in the United States

Written by Michael Sakamoto

Introduction

Information technology is now woven into daily life, and its reach continues to expand. These technological advances raise legal questions that earlier lawmakers could not have foreseen. Large-scale data collection and analysis ("big data") in particular has far-reaching implications for individual data privacy.

With the rise of these technologies, governments around the world have taken measures to safeguard data privacy. [1] One such measure is the European Union's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, a comprehensive data protection regulation that applies across the EU and grants data subjects explicit rights over their personal data, including the right of access, the right to erasure, and the right to restrict processing. [2]

Unlike the EU, the United States has no comparable comprehensive federal privacy law. [3] Data privacy protection in the U.S. instead takes a sectoral approach: it is fragmented across separate federal and state laws, each tailored to a specific purpose. [4] The Fourth Amendment of the U.S. Constitution protects certain aspects of individual privacy, but it constrains only government searches and seizures, not data collection by private companies, and its doctrine was not designed with digital-age technology in mind. [5] State laws such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA), and federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), cover only residents of particular states or only particular categories of personal data. To understand the current state of privacy legislation in the U.S., it helps to examine its history.

Federal Legislation

The U.S. Privacy Act of 1974

The Privacy Act of 1974 was enacted in the wake of the Watergate scandal, which exposed illegal surveillance and investigation of individuals by federal agencies, and amid growing concern about the storage of personal information in government computer systems. [6] It protects individuals against unwarranted invasions of privacy by federal agencies and created new rights over personal data held in federal agencies' systems of records. [7]

These rights resemble those found in modern privacy statutes: a right of access, restrictions on disclosure, and a right to amend. [8] The access provision entitles individuals to see the records a federal agency holds about them; the disclosure restrictions bar an agency from disclosing those records without the individual's written consent, subject to a list of statutory exceptions (such as the "routine use" exception); and the amendment provision lets individuals request correction of records that are inaccurate. [9] These rights bear many similarities to those the GDPR grants to data subjects. However, they apply only to records held by federal agencies, not to data held by state governments or private companies.

Health Insurance Portability and Accountability Act (HIPAA)

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to improve the healthcare system in the U.S. [10] Title II's Administrative Simplification provisions authorized the Department of Health and Human Services to issue the HIPAA Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI) by covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates; the companion Security Rule sets safeguards for PHI held in electronic form. [11] Covered entities must give patients a notice of their privacy practices, and patients may request restrictions on how their PHI is used and disclosed, although a covered entity is not always required to agree to such a request. [12] Like the Privacy Act of 1974, the Privacy Rule provides a right to notice, a right to request restrictions on uses and disclosures, a right of access, and a right to amend one's health information. [13]

The Privacy Act of 1974 and HIPAA are representative of how the U.S. has addressed privacy concerns and laid the foundation for later privacy legislation. Congress has also enacted other sector-specific statutes, such as the Fair Credit Reporting Act (FCRA, 1970), the Children's Online Privacy Protection Act (COPPA, 1998), the Gramm-Leach-Bliley Act (GLBA, 1999), and many others. [14] Together these statutes provide reasonably strong protection within their domains, but each is tailored to a specific category of personal information, so individual privacy rights are limited to those categories, unlike the GDPR's comprehensive coverage. [15] Until the U.S. adopts a nationwide comprehensive data privacy regulation, personal data that falls outside these categories will remain unregulated at the federal level. In the meantime, state privacy laws help fill the gaps. [16]

State Privacy Laws

The United States' sectoral approach to data privacy leaves much personal data unregulated. [17] Recognizing this shortcoming, some states have enacted their own privacy legislation to protect their residents' data. As of March 2023, five states had enacted comprehensive consumer privacy laws: California, Colorado, Connecticut, Virginia, and Utah. [18] Other states have proposed privacy bills that are still in the legislative process. [19] The enacted state laws are broadly similar and grant comparable rights. However, the California Privacy Rights Act (CPRA) is the most comprehensive privacy statute in the nation and the closest to the EU's GDPR. [20]

The California Consumer Privacy Act and the California Privacy Rights Act

Modeled in part on the EU's GDPR, the CCPA of 2018 was intended to give consumers more control over their personal information. [21] Like the GDPR, the CCPA is a comprehensive privacy regulation with similar disclosure requirements and privacy rights. [22] It was amended by the California Privacy Rights Act (CPRA), a ballot initiative (Proposition 24) approved by California voters in November 2020, which expands the CCPA and is often referred to as CCPA 2.0; most of the CPRA's provisions became operative on January 1, 2023. [23]

The CPRA applies to personal information collected from consumers by businesses that meet its thresholds (for example, annual gross revenue above $25 million, or buying, selling, or sharing the personal information of 100,000 or more consumers or households), and it grants consumers explicit rights over that data. [24] Much like the GDPR, the CPRA gives California residents rights such as the right to know and access, the right to delete, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information. [25] Unlike federal legislation, the CPRA regulates personal data across industries rather than within a single sector, although it exempts data already governed by certain federal laws, such as PHI covered by HIPAA and financial data covered by the GLBA. [26]

While the CPRA offers stronger protection for individuals' data privacy, its main limitation, shared by the other state privacy laws, is that it covers only residents of its own state. Until the U.S. adopts a GDPR-style regulation at the federal level, individual data privacy rights will remain incomplete and inconsistent across the United States.

Future of National Privacy Legislation

Although current data privacy protections in the U.S. are incomplete, recent proposals suggest that a comprehensive federal data privacy law may be on the horizon. The American Data Privacy and Protection Act (ADPPA, H.R. 8152) is a comprehensive federal privacy bill introduced in the U.S. House of Representatives in June 2022; it advanced out of the House Energy and Commerce Committee the following month but had not received a floor vote by the end of the 117th Congress. [27] The bill's main purpose is to establish requirements for how companies handle the personal data they gather about their users and to give individuals explicit rights over that data. [28] Drawing on language from past federal privacy statutes, the GDPR, and state privacy laws, the ADPPA would restrict the collection and processing of "sensitive covered data" to what is strictly necessary to provide a product or service the individual requested, and would require affirmative express consent before such data is transferred to third parties.

The ADPPA has strong bipartisan support, but it still faces obstacles before becoming law. One major issue is the bill's preemption of state laws, since some states already have privacy laws that offer stronger protections than the ADPPA would. [29] California, which has the strongest state privacy law, has been reluctant to let the ADPPA preempt the CPRA. Former House Speaker Nancy Pelosi, who represents California, remarked that California "leads the nation not only in innovation, but also in consumer protection," adding that because of this "it is imperative that California continues offering and enforcing the nation's strongest privacy rights." [30] Whether the ADPPA or the CPRA offers stronger protection is debated, but the two differ in notable ways that would affect many aspects of how data privacy is regulated.

In the meantime, while Congress debates a federal comprehensive privacy bill, more states are enacting their own comprehensive consumer privacy laws to protect their residents' personal data. [31] This is a promising step toward protecting individual privacy rights, but each state takes its own approach, producing inconsistent regulation and further fragmenting the privacy rights of U.S. residents.

Closing Thoughts

Until Congress passes the ADPPA or a similar comprehensive federal data privacy framework, individuals in the United States will have to rely on the existing sectoral federal laws and, where available, their state's privacy law to protect their data. Privacy law has advanced rapidly in recent years, and a growing number of people recognize the importance of data privacy protections. Data privacy law in the United States is on the cusp of reform, and a comprehensive federal privacy law may be enacted in the near future.


References

[1] Sarah O’Brien and Asélle Ibraimova, The Fourth Anniversary of the GDPR: How the GDPR Has Had a Domino Effect, REED SMITH LLP (May 24, 2022), https://www.technologylawdispatch.com/2022/05/privacy-data-protection/the-fourth-anniversary-of-the-gdpr-how-the-gdpr-has-had-a-domino-effect/ [https://perma.cc/KM7U-4PYE].

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), 2016 O.J. (L 119) 1.

[3] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. TIMES (Sept. 6, 2022), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/ [https://perma.cc/G89G-GSRT].

[4] Id.

[5] Laura Hecht-Felella, The Fourth Amendment in the Digital Age, BRENNAN CTR. FOR JUST., (Mar. 18, 2021), https://www.brennancenter.org/our-work/policy-solutions/fourth-amendment-digital-age [https://perma.cc/MRF2-HTAE].

[6] Bureau of Justice Assistance, Privacy Act of 1974, 5 U.S.C. § 552a, https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1279#vf4tzl [https://perma.cc/BU9T-HDFD].

[7] Id.

[8] Privacy Act of 1974, 5 U.S.C. § 552a.

[9] U.S. Dep't of Justice, Overview of the Privacy Act of 1974, https://www.justice.gov/archives/opcl/policy-objectives [https://perma.cc/5C3W-3RKM].

[10] U.S. Dep't of Health & Hum. Servs., Summary of the HIPAA Privacy Rule (Oct. 19, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html [https://perma.cc/RE6L-RCTH].

[11] Id.

[12] Id.

[13] Id.

[14] David Harrington, U.S. Privacy Laws: The Complete Guide, VARONIS, (Sept. 2, 2022), https://www.varonis.com/blog/us-privacy-laws [https://perma.cc/7LXA-NFFF].

[15] Daniel J. Solove, The Growing Problems with the Sectoral Approach to Privacy Law, TEACHPRIVACY (Nov. 13, 2015), https://teachprivacy.com/problems-sectoral-approach-privacy-law/ [https://perma.cc/A5SG-TDS6].

[16] Id.

[17] Stacey Gray, Long Overdue: Comprehensive Federal Privacy, FUTURE OF PRIV. F., (Dec. 9, 2022), https://fpf.org/blog/fpf-comments-on-a-national-baseline-consumer-privacy-law/ [https://perma.cc/U73G-J3HC].

[18] See US State Privacy Legislation Tracker, INT’L ASS’N PRIV. PROS. (March 17, 2023), https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf [https://perma.cc/7K5H-LW4E].

[19] Id.

[20] Paul Bischoff, Internet Privacy Laws by State: Which US States Best Protect Privacy Online?, COMPARITECH (Jan. 9, 2023), https://www.comparitech.com/blog/vpn-privacy/which-us-states-best-protect-online-privacy/ [https://perma.cc/CJB7-B27N].

[21] Office of the Attorney General, California Consumer Privacy Act (CCPA), CA DEPT. JUST. (Feb. 15, 2023), https://oag.ca.gov/privacy/ccpa [https://perma.cc/6ERZ-SFV].

[22] Eric Goldman, An Introduction to California’s Consumer Privacy Laws (CCPA and CPRA), SANTA CLARA UNIV. LEGAL STUD. RSCH. PAPER (July 2021), https://ssrn.com/abstract=3896176 [https://perma.cc/6DVM-JS7Y].

[23] Id.

[24] Id.

[25] Id.

[26] Id.

[27] The American Data Privacy and Protection Act, A.B.A. (Aug. 30, 2022), https://www.americanbar.org/advocacy/governmental_legislative_work/publications/washingtonletter/august-22-wl/data-privacy-0822wl/ [https://perma.cc/EU3P-JSU2].

[28] Id.

[29] Joseph Duball, State Views on Proposed ADPPA Preemption Come into Focus, INT'L ASS'N PRIV. PROS. (Sept. 27, 2022), https://iapp.org/news/a/state-level-views-on-proposed-adppa-preemption-come-into-focus/ [https://perma.cc/556X-LZDJ].

[30] Id.

[31] Jennifer Huddleston, Data Privacy Day 2023: Where Data Privacy Policy Stands at the Start of 2023, CATO INST. (Jan. 27, 2023), https://www.cato.org/blog/data-privacy-day-2023-where-data-privacy-policy-stands-start-2023 [https://perma.cc/8VUG-8JRW].